nmap package description

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named "Security Product of the Year" by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum. Nmap is:

  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command-line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goal of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them here in multiple languages.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" from Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Red Hat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc.). It is among the top ten (out of 30,000) programs in the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Source: http://nmap.org/

Nmap Homepage | Kali Nmap Repo

  • Author: Fyodor
  • License: GPLv2

    0x01 Tools included in the nmap package

    nping - Network packet generation tool / ping utility
    :~# nping -h
    Nping 0.6.40 ( http://nmap.org/nping )
    Usage: nping [Probe mode] [Options] {target specification}
    TARGET SPECIFICATION:
    Targets may be specified as hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
    PROBE MODES:
    --tcp-connect                    : Unprivileged TCP connect probe mode.
    --tcp                            : TCP probe mode.
    --udp                            : UDP probe mode.
    --icmp                           : ICMP probe mode.
    --arp                            : ARP/RARP probe mode.
    --tr, --traceroute               : Traceroute mode (can only be used with
                                       TCP/UDP/ICMP modes).
    TCP CONNECT MODE:
     -p, --dest-port <port spec>     : Set destination port(s).
     -g, --source-port <portnumber>  : Try to use a custom source port.
    TCP PROBE MODE:
     -g, --source-port <portnumber>  : Set source port.
     -p, --dest-port <port spec>     : Set destination port(s).
     --seq <seqnumber>               : Set sequence number.
     --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
     --ack <acknumber>               : Set ACK number.
     --win <size>                    : Set window size.
     --badsum                        : Use a random invalid checksum.
    UDP PROBE MODE:
     -g, --source-port <portnumber>  : Set source port.
     -p, --dest-port <port spec>     : Set destination port(s).
     --badsum                        : Use a random invalid checksum.
    ICMP PROBE MODE:
    --icmp-type <type>               : ICMP type.
    --icmp-code <code>               : ICMP code.
    --icmp-id <id>                   : Set identifier.
    --icmp-seq <n>                   : Set sequence number.
    --icmp-redirect-addr <addr>      : Set redirect address.
    --icmp-param-pointer <pnt>       : Set parameter problem pointer.
    --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
    --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
    --icmp-orig-time  <timestamp>    : Set originate timestamp.
    --icmp-recv-time  <timestamp>    : Set receive timestamp.
    --icmp-trans-time <timestamp>    : Set transmit timestamp.
    ARP/RARP PROBE MODE:
    --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
    --arp-sender-mac <mac>           : Set sender MAC address.
    --arp-sender-ip  <addr>          : Set sender IP address.
    --arp-target-mac <mac>           : Set target MAC address.
    --arp-target-ip  <addr>          : Set target IP address.
    IPv4 OPTIONS:
    -S, --source-ip                  : Set source IP address.
    --dest-ip <addr>                 : Set destination IP address (used as an
                                       alternative to {target specification} ).
    --tos <tos>                      : Set type of service field (8bits).
    --id  <id>                       : Set identification field (16 bits).
    --df                             : Set Don't Fragment flag.
    --mf                             : Set More Fragments flag.
    --ttl <hops>                     : Set time to live [0-255].
    --badsum-ip                      : Use a random invalid checksum.
    --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
    --ip-options <hex string>                    : Set IP options
    --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
                                       small enough.
    IPv6 OPTIONS:
    -6, --IPv6                       : Use IP version 6.
    --dest-ip                        : Set destination IP address (used as an
                                       alternative to {target specification}).
    --hop-limit                      : Set hop limit (same as IPv4 TTL).
    --traffic-class <class> :        : Set traffic class.
    --flow <label>                   : Set flow label.
    ETHERNET OPTIONS:
    --dest-mac <mac>                 : Set destination mac address. (Disables
                                       ARP resolution)
    --source-mac <mac>               : Set source MAC address.
    --ether-type <type>              : Set EtherType value.
    PAYLOAD OPTIONS:
    --data <hex string>              : Include a custom payload.
    --data-string <text>             : Include a custom ASCII text.
    --data-length <len>              : Include len random bytes as payload.
    ECHO CLIENT/SERVER:
    --echo-client <passphrase>       : Run Nping in client mode.
    --echo-server <passphrase>       : Run Nping in server mode.
    --echo-port <port>               : Use custom <port> to listen or connect.
    --no-crypto                      : Disable encryption and authentication.
    --once                           : Stop the server after one connection.
    --safe-payloads                  : Erase application data in echoed packets.
    TIMING AND PERFORMANCE:
    Options which take <time> are in seconds, or append 'ms' (milliseconds),
    's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
    --delay <time>                   : Adjust delay between probes.
    --rate  <rate>                   : Send num packets per second.
    MISC:
    -h, --help                       : Display help information.
    -V, --version                    : Display current version number.
    -c, --count <n>                  : Stop after <n> rounds.
    -e, --interface <name>           : Use supplied network interface.
    -H, --hide-sent                  : Do not display sent packets.
    -N, --no-capture                 : Do not try to capture replies.
    --privileged                     : Assume user is fully privileged.
    --unprivileged                   : Assume user lacks raw socket privileges.
    --send-eth                       : Send packets at the raw Ethernet layer.
    --send-ip                        : Send packets using raw IP sockets.
    --bpf-filter <filter spec>       : Specify custom BPF filter.
    OUTPUT:
    -v                               : Increment verbosity level by one.
    -v[level]                        : Set verbosity level. E.g: -v4
    -d                               : Increment debugging level by one.
    -d[level]                        : Set debugging level. E.g: -d3
    -q                               : Decrease verbosity level by one.
    -q[N]                            : Decrease verbosity level N times
    --quiet                          : Set verbosity and debug level to minimum.
    --debug                          : Set verbosity and debug to the max level.
    EXAMPLES:
    nping scanme.nmap.org
    nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
    nping --icmp --icmp-type time --delay 500ms 192.168.254.254
    nping --echo-server "public" -e wlan0 -vvv
    nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
    

    0x02 ndiff - Utility to compare the results of Nmap scans

    :~# ndiff -h
    Usage: /usr/bin/ndiff [option] FILE1 FILE2
    Compare two Nmap XML files and display a list of their differences.
    Differences include host state changes, port state changes, and changes to
    service and OS detection.
    -h, --help     display this help
    -v, --verbose  also show hosts and ports that haven't changed.
    --text         display output in text format (default)
    --xml          display output in XML format
    

    0x03 ncat - Concatenate and redirect sockets

    :~# ncat -h
    Ncat 6.40 ( http://nmap.org/ncat )
    Usage: ncat [options] [hostname] [port]
    Options taking a time assume seconds. Append 'ms' for milliseconds,
    's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
    -4                         Use IPv4 only
    -6                         Use IPv6 only
    -U, --unixsock             Use Unix domain sockets only
    -C, --crlf                 Use CRLF for EOL sequence
    -c, --sh-exec <command>    Executes the given command via /bin/sh
    -e, --exec <command>       Executes the given command
        --lua-exec <filename>  Executes the given Lua script
    -g hop1[,hop2,...]         Loose source routing hop points (8 max)
    -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
    -m, --max-conns <n>        Maximum <n> simultaneous connections
    -h, --help                 Display this help screen
    -d, --delay <time>         Wait between read/writes
    -o, --output <filename>    Dump session data to a file
    -x, --hex-dump <filename>  Dump session data as hex to a file
    -i, --idle-timeout <time>  Idle read/write timeout
    -p, --source-port port     Specify source port to use
    -s, --source addr          Specify source address to use (doesn't affect -l)
    -l, --listen               Bind and listen for incoming connections
    -k, --keep-open            Accept multiple connections in listen mode
    -n, --nodns                Do not resolve hostnames via DNS
    -t, --telnet               Answer Telnet negotiations
    -u, --udp                  Use UDP instead of default TCP
        --sctp                 Use SCTP instead of default TCP
    -v, --verbose              Set verbosity level (can be used several times)
    -w, --wait <time>          Connect timeout
        --append-output        Append rather than clobber specified output files
        --send-only            Only send data, ignoring received; quit on EOF
        --recv-only            Only receive data, never send anything
        --allow                Allow only given hosts to connect to Ncat
        --allowfile            A file of hosts allowed to connect to Ncat
        --deny                 Deny given hosts from connecting to Ncat
        --denyfile             A file of hosts denied from connecting to Ncat
        --broker               Enable Ncat's connection brokering mode
        --chat                 Start a simple Ncat chat server
        --proxy <addr[:port]>  Specify address of host to proxy through
        --proxy-type <type>    Specify proxy type ("http" or "socks4")
        --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
        --ssl                  Connect or listen with SSL
        --ssl-cert             Specify SSL certificate file (PEM) for listening
        --ssl-key              Specify SSL private key (PEM) for listening
        --ssl-verify           Verify trust and domain name of certificates
        --ssl-trustfile        PEM file containing trusted SSL certificates
        --version              Display Ncat's version information and exit
    See the ncat(1) manpage for full options, descriptions and usage examples
    

    0x04 nmap - The Network Mapper

    :~# nmap -h
    Nmap 6.40 ( http://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
    Can pass hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    -iL <inputfilename>: Input from list of hosts/networks
    -iR <num hosts>: Choose random targets
    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
    -sL: List Scan - simply list targets to scan
    -sn: Ping Scan - disable port scan
    -Pn: Treat all hosts as online -- skip host discovery
    -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -PO[protocol list]: IP Protocol Ping
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
    --system-dns: Use OS's DNS resolver
    --traceroute: Trace hop path to each host
    SCAN TECHNIQUES:
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sU: UDP Scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags <flags>: Customize TCP scan flags
    -sI <zombie host[:probeport]>: Idle scan
    -sY/sZ: SCTP INIT/COOKIE-ECHO scans
    -sO: IP protocol scan
    -b <FTP relay host>: FTP bounce scan
    PORT SPECIFICATION AND SCAN ORDER:
    -p <port ranges>: Only scan specified ports
      Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
    -F: Fast mode - Scan fewer ports than the default scan
    -r: Scan ports consecutively - don't randomize
    --top-ports <number>: Scan <number> most common ports
    --port-ratio <ratio>: Scan ports more common than <ratio>
    SERVICE/VERSION DETECTION:
    -sV: Probe open ports to determine service/version info
    --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
    --version-light: Limit to most likely probes (intensity 2)
    --version-all: Try every single probe (intensity 9)
    --version-trace: Show detailed version scan activity (for debugging)
    SCRIPT SCAN:
    -sC: equivalent to --script=default
    --script=<Lua scripts>: <Lua scripts> is a comma separated list of
             directories, script-files or script-categories
    --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
    --script-args-file=filename: provide NSE script args in a file
    --script-trace: Show all data sent and received
    --script-updatedb: Update the script database.
    --script-help=<Lua scripts>: Show help about scripts.
             <Lua scripts> is a comma separted list of script-files or
             script-categories.
    OS DETECTION:
    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively
    TIMING AND PERFORMANCE:
    Options which take <time> are in seconds, or append 'ms' (milliseconds),
    's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
    -T<0-5>: Set timing template (higher is faster)
    --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
    --min-parallelism/max-parallelism <numprobes>: Probe parallelization
    --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
        probe round trip time.
    --max-retries <tries>: Caps number of port scan probe retransmissions.
    --host-timeout <time>: Give up on target after this long
    --scan-delay/--max-scan-delay <time>: Adjust delay between probes
    --min-rate <number>: Send packets no slower than <number> per second
    --max-rate <number>: Send packets no faster than <number> per second
    FIREWALL/IDS EVASION AND SPOOFING:
    -f; --mtu <val>: fragment packets (optionally w/given MTU)
    -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
    -S <IP_Address>: Spoof source address
    -e <iface>: Use specified interface
    -g/--source-port <portnum>: Use given port number
    --data-length <num>: Append random data to sent packets
    --ip-options <options>: Send packets with specified ip options
    --ttl <val>: Set IP time-to-live field
    --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
    --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
    OUTPUT:
    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
       and Grepable format, respectively, to the given filename.
    -oA <basename>: Output in the three major formats at once
    -v: Increase verbosity level (use -vv or more for greater effect)
    -d: Increase debugging level (use -dd or more for greater effect)
    --reason: Display the reason a port is in a particular state
    --open: Only show open (or possibly open) ports
    --packet-trace: Show all packets sent and received
    --iflist: Print host interfaces and routes (for debugging)
    --log-errors: Log errors/warnings to the normal-format output file
    --append-output: Append to rather than clobber specified output files
    --resume <filename>: Resume an aborted scan
    --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
    --webxml: Reference stylesheet from Nmap.Org for more portable XML
    --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    MISC:
    -6: Enable IPv6 scanning
    -A: Enable OS detection, version detection, script scanning, and traceroute
    --datadir <dirname>: Specify custom Nmap data file location
    --send-eth/--send-ip: Send using raw ethernet frames or IP packets
    --privileged: Assume that the user is fully privileged
    --unprivileged: Assume the user lacks raw socket privileges
    -V: Print version number
    -h: Print this help summary page.
    EXAMPLES:
    nmap -v -A scanme.nmap.org
    nmap -v -sn 192.168.0.0/16 10.0.0.0/8
    nmap -v -iR 10000 -Pn -p 80
    SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
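
The port list grammar shown under PORT SPECIFICATION above (-p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9) is small enough to implement directly. The parser below is an added example, not Nmap's own code: it covers single ports, ranges with either end omitted, and the T:/U:/S: prefixes that stay in effect for every following entry until the next prefix. Service names and wildcards such as http* are deliberately not handled.

```python
"""Parser for the -p port-specification syntax in the nmap help above:
single ports, ranges (1-65535, the open-ended -1024 / 1024- and bare -),
comma-separated lists and the T:/U:/S: protocol prefixes, which apply to every
following entry until the next prefix. Added example, not Nmap's own parser;
service names and wildcards such as http* are deliberately not handled."""
import re

PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535
_RANGE_RE = re.compile(r"^(\d*)-(\d*)$")


def _expand_entry(entry):
    """Turn one entry ('22', '21-25', '-1024', '1024-', '-') into a set of port numbers."""
    if entry.isdigit():
        port = int(entry)
        if port > MAX_PORT:
            raise ValueError(f"port out of range: {entry}")
        return {port}
    match = _RANGE_RE.match(entry)
    if not match:
        raise ValueError(f"invalid port entry: {entry!r}")
    low = int(match.group(1)) if match.group(1) else 1           # '-1024' is 1-1024
    high = int(match.group(2)) if match.group(2) else MAX_PORT    # '1024-' is 1024-65535
    if low > high or high > MAX_PORT:
        raise ValueError(f"invalid port range: {entry!r}")
    return set(range(low, high + 1))


def parse_port_spec(spec):
    """Return {'tcp': set, 'udp': set, 'sctp': set} for an nmap -p argument.

    Entries that come before any protocol prefix apply to every protocol, which
    is how nmap treats an unqualified list when several scan types are requested.
    """
    ports = {name: set() for name in PROTOCOLS.values()}
    current = None                      # None means "all protocols"
    for raw in spec.split(","):
        entry = raw.strip()
        if len(entry) >= 2 and entry[1] == ":" and entry[0].upper() in PROTOCOLS:
            current = PROTOCOLS[entry[0].upper()]
            entry = entry[2:]
        if not entry:
            raise ValueError(f"empty port entry in {spec!r}")
        expanded = _expand_entry(entry)
        for proto in ([current] if current else ports):
            ports[proto] |= expanded
    return ports


def is_valid_port_spec(spec):
    """True when nmap would accept the spec (within the subset handled here)."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for proto, nums in parse_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9").items():
        print(proto, sorted(nums))
```

Validation is the point when the spec comes from a user or a form that feeds a scanner wrapper: a port above 65535, an inverted range, or a stray service name is rejected with ValueError instead of being silently expanded or passed through to the command line.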
    

    0x05 nmap usage example

    Scan in verbose mode (-v), enable OS detection, version detection, script scanning, and traceroute (-A), with version detection (-sV) against the target IP (192.168.1.1). Note that -A already implies -sV, so the explicit flag is redundant here:
:~# nmap -v -A -sV 192.168.1.1
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 18:40
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:40
Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
Initiating SYN Stealth Scan at 18:40
Scanning router.localdomain (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 3001/tcp on 192.168.1.1

0x06 nping usage example

Use TCP mode (--tcp) to probe port 22 (-p 22) with the SYN flag set (--flags syn) and a TTL of 2 (--ttl 2) against the remote host (192.168.1.1). With a TTL of 2 the packet is discarded by the second router on the path, so it only reaches the target if the target is at most two hops away; otherwise the reply is an ICMP time-exceeded from that router.

:~# nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1
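
The probe described above, rendered at the byte level as an added example (this is not nping's own code). It builds the IPv4 header with TTL 2 and the TCP SYN segment to port 22 that the command sends, computes the RFC 1071 checksums that both endpoints rely on, and also produces the deliberately wrong checksum that the --badsum option would insert. The scanner address 192.168.1.100, the source port 40000 and the window size are assumptions; nothing is put on the wire.

```python
"""Byte-level view of the probe `nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1`
sends: an IPv4 header (TTL 2) carrying a TCP SYN to port 22, plus the deliberately
wrong checksum that --badsum would put in. Added example, not nping source code;
source address, source port and window size are assumptions. Nothing is transmitted."""
import random
import struct

TCP_SYN = 0x02          # TCP flag bit for SYN
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_header(src, dst, payload_len, ttl, ident=0):
    """20-byte IPv4 header with no options; the checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,        # version 4, IHL 5 words
                         0,                   # TOS
                         20 + payload_len,    # total length
                         ident,
                         0,                   # flags / fragment offset
                         ttl,
                         IPPROTO_TCP,
                         0,                   # checksum placeholder
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]


def _tcp_pseudo_header(src, dst, tcp_len):
    """Pseudo-header the TCP checksum is computed over (addresses, protocol, length)."""
    return ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def build_tcp_header(src, dst, sport, dport, seq=0, flags=TCP_SYN, window=1480,
                     bad_checksum=False):
    """20-byte TCP header with no options. With bad_checksum=True the checksum
    field gets a random value that does not verify, which is what --badsum does."""
    header = struct.pack("!HHLLBBHHH", sport, dport, seq, 0,
                         5 << 4,              # data offset 5 words, reserved bits 0
                         flags, window,
                         0,                   # checksum placeholder
                         0)                   # urgent pointer
    pseudo = _tcp_pseudo_header(src, dst, len(header))
    csum = inet_checksum(pseudo + header)
    while bad_checksum:
        csum = random.randrange(0x10000)
        if inet_checksum(pseudo + header[:16] + struct.pack("!H", csum) + header[18:]) != 0:
            break
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_syn_probe(src, dst, sport, dport, ttl, bad_checksum=False):
    """Full IPv4 + TCP SYN probe as bytes, as a raw-socket sender would emit it."""
    tcp = build_tcp_header(src, dst, sport, dport, bad_checksum=bad_checksum)
    return build_ipv4_header(src, dst, len(tcp), ttl) + tcp


def ip_checksum_ok(ip_header: bytes) -> bool:
    """Receiver-side check: summing a header that includes its own checksum yields 0."""
    return inet_checksum(ip_header) == 0


def tcp_checksum_ok(src, dst, tcp_segment: bytes) -> bool:
    """Receiver-side check of the TCP checksum, pseudo-header included."""
    return inet_checksum(_tcp_pseudo_header(src, dst, len(tcp_segment)) + tcp_segment) == 0


if __name__ == "__main__":
    # Assumed addresses: scanner 192.168.1.100, target 192.168.1.1 (the host used above).
    probe = build_syn_probe("192.168.1.100", "192.168.1.1", 40000, 22, ttl=2)
    print(probe.hex())
    print("tcp checksum valid:", tcp_checksum_ok("192.168.1.100", "192.168.1.1", probe[20:]))
    bad = build_syn_probe("192.168.1.100", "192.168.1.1", 40000, 22, ttl=2, bad_checksum=True)
    print("badsum probe valid:", tcp_checksum_ok("192.168.1.100", "192.168.1.1", bad[20:]))
```

A real host stack discards a segment whose TCP checksum fails the verification shown in tcp_checksum_ok, so any reply to a --badsum probe comes from a firewall or IDS that answered without checking the checksum. That is the diagnostic value of the option: a response tells you something in the path is not behaving like a real endpoint.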

0x07 ndiff usage example

Compare yesterday's port scan (yesterday.xml) against today's scan (today.xml). Both files must be Nmap XML output (-oX); ndiff does not read normal or grepable output:

:~# ndiff yesterday.xml today.xml
-Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml 192.168.1.1
+Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml 192.168.1.1
 endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1):
-Not shown: 96 filtered ports
+Not shown: 97 filtered ports
 PORT   STATE SERVICE VERSION
-22/tcp open  ssh
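
The same comparison in Python, as an added example that is not ndiff's source code: it parses the host, address, hostname, port and service elements of two Nmap XML (-oX) reports and lists host-state and port-state changes using ndiff's -/+ convention. The two XML documents are constructed to mirror the yesterday.xml/today.xml scans above (22/tcp open yesterday, gone today); the OS-detection differences that ndiff also reports are not covered.

```python
"""Compare two Nmap XML reports (-oX) the way ndiff does: host state, port state
and service-name changes. Added example, not ndiff's own code; the two XML
documents are constructed to mirror the yesterday/today diff shown above."""
import xml.etree.ElementTree as ET

# Constructed sample reports, trimmed to the elements this parser reads.
YESTERDAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -F -oX yesterday.xml 192.168.1.1" version="6.45">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:01:6C:6F:DD:D1" addrtype="mac"/>
<hostnames><hostname name="endian.localdomain" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="96"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="3001"><state state="open" reason="syn-ack"/><service name="nessus"/></port>
</ports></host></nmaprun>"""

# Same host one day later: 22/tcp no longer answers, so it joins the filtered count.
TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -F -oX today.xml 192.168.1.1" version="6.45">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:01:6C:6F:DD:D1" addrtype="mac"/>
<hostnames><hostname name="endian.localdomain" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="97"/>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="3001"><state state="open" reason="syn-ack"/><service name="nessus"/></port>
</ports></host></nmaprun>"""


def parse_nmap_xml(text):
    """Map each host's IP to its state, hostname and {(proto, port): (state, service)}."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "unknown")
        status = host.find("status")
        name = host.find("hostnames/hostname")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = (state.get("state") if state is not None else "unknown",
                          service.get("name", "") if service is not None else "")
        hosts[addr] = {
            "state": status.get("state") if status is not None else "unknown",
            "hostname": name.get("name") if name is not None else "",
            "ports": ports,
        }
    return hosts


def diff_scans(old_text, new_text):
    """Return ndiff-style lines: '-' for the old value, '+' for the new one."""
    old, new = parse_nmap_xml(old_text), parse_nmap_xml(new_text)
    lines = []
    for addr in sorted(set(old) | set(new)):
        o, n = old.get(addr), new.get(addr)
        if o is None or n is None:
            # Host appeared or disappeared between the two scans.
            sign, h = ("+", n) if o is None else ("-", o)
            lines.append(f"{sign}{h['hostname']} ({addr}): host {h['state']}")
            continue
        changes = []
        if o["state"] != n["state"]:
            changes.append(f"-host state: {o['state']}")
            changes.append(f"+host state: {n['state']}")
        for proto, port in sorted(set(o["ports"]) | set(n["ports"])):
            before, after = o["ports"].get((proto, port)), n["ports"].get((proto, port))
            if before == after:
                continue  # unchanged; ndiff only lists these with -v
            if before is not None:
                changes.append(f"-{port}/{proto} {before[0]} {before[1]}".rstrip())
            if after is not None:
                changes.append(f"+{port}/{proto} {after[0]} {after[1]}".rstrip())
        if changes:
            lines.append(f" {o['hostname'] or n['hostname']} ({addr}):")
            lines.extend(changes)
    return lines


if __name__ == "__main__":
    print("\n".join(diff_scans(YESTERDAY_XML, TODAY_XML)))
```

A port that drops out of the listed set shows up only as a removed line, exactly as in the ndiff output above, because nmap folds it into the extraports count rather than listing it with a new state; if you need the new state itself, scan with --reason and keep the extraports element in view as well.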

0x08 ncat usage example

Verbosely (-v), run /bin/bash on connect (--exec "/bin/bash"), allow only one IP address to connect (--allow 192.168.1.123), listen on TCP port 4444 (-l 4444), and keep the listener open after a client disconnects (--keep-open). This is an unauthenticated bind shell: --allow filters only on the peer's source address, and the session is plaintext unless --ssl is used, so run it only on a network you control:

:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.123.
Ncat: Connection from 192.168.1.123:39501.
Ncat: Connection from 192.168.1.15.
Ncat: Connection from 192.168.1.15:60393.
Ncat: New connection denied: not allowed

Original text from https://www.hackfun.org/kali-tools/nmap_zh.html. Please credit the original source when reposting; contact the original author for commercial use.
